ip: ip_options_compile() resilient to NULL skb route

Scot Doyle demonstrated ip_options_compile() could be called with an skb without an attached route, using a setup involving a bridge, netfilter, and forged IP packets. Let's make ip_options_compile() and ip_options_rcv_srr() a bit more robust, instead of changing bridge/netfilter code. With help from Hiroaki SHIMODA. Reported-by: N Scot Doyle <lkml@scotdoyle.com> Tested-by: N Scot Doyle <lkml@scotdoyle.com> Signed-off-by: N Eric Dumazet <eric.dumazet@gmail.com> Cc: Stephen Hemminger <shemminger@vyatta.com> Acked-by: N Hiroaki SHIMODA <shimoda.hiroaki@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

ip: ip_options_compile() resilient to NULL skb route
Scot Doyle demonstrated ip_options_compile() could be called with an skb without an attached route, using a setup involving a bridge, netfilter, and forged IP packets. Let's make ip_options_compile() and ip_options_rcv_srr() a bit more robust, instead of changing bridge/netfilter code. With help from Hiroaki SHIMODA. Reported-by: N Scot Doyle <lkml@scotdoyle.com> Tested-by: N Scot Doyle <lkml@scotdoyle.com> Signed-off-by: N Eric Dumazet <eric.dumazet@gmail.com> Cc: Stephen Hemminger <shemminger@vyatta.com> Acked-by: N Hiroaki SHIMODA <shimoda.hiroaki@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
c65353da · Eric Dumazet · David S. Miller · 49b4947a · c65353da
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

net/ipv4/ip_options.c net/ipv4/ip_options.c +3 -3

未找到文件。
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -329,7 +329,7 @@ int ip_options_compile(struct net *net,
 					pp_ptr = optptr + 2;
 					goto error;
 				}
-				if (skb) {
+				if (rt) {
 					memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
 					opt->is_changed = 1;
 				}
@@ -371,7 +371,7 @@ int ip_options_compile(struct net *net,
 						goto error;
 					}
 					opt->ts = optptr - iph;
-					if (skb) {
+					if (rt)  {
 						memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
 						timeptr = (__be32*)&optptr[optptr[2]+3];
 					}
@@ -603,7 +603,7 @@ int ip_options_rcv_srr(struct sk_buff *skb)
 	unsigned long orefdst;
 	int err;

-	if (!opt->srr)
+	if (!opt->srr || !rt)
 		return 0;

 	if (skb->pkt_type != PACKET_HOST)